23 October 2018

Workforce Study Methodology and Defining the Gap

2,930,000

That is the size of the global cybersecurity workforce gap. The breakdown is around 498,000 in North America, 136,000 in Latin America, 142,000 in Europe, the Middle East and Africa, with the largest deficit coming in Asia Pacific at 2.14 million. But what does this big, scary number even mean? Where did it come from?

First, this new Cybersecurity Workforce Study from (ISC)² has evolved from past studies to become a more accurate representation of the broader workforce. We surveyed nearly 1,500 professionals around the world who spend at least 25% of their time on cybersecurity activities, which includes IT/ICT professionals who previously may not have been considered part of the cyber workforce.

To ensure our numbers were accurate and representative, we worked with our research partner (Spiceworks) to develop a rigorous sample design for each region. The sample within each country was controlled to ensure a mix of company sizes and industries. Some statistically significant differences between regions noted in the report may be due to regional differences in scale usage.

With a more precise look at who is actually doing the work, we also changed how the gap itself was calculated. Some legacy gap calculations subtracted supply from demand which didn’t consider relevant factors like organizational growth.

For the demand, we start with a calculation of the current percent of organizations with job openings – this represents the expected share of organizations that will have hiring demand. Among organizations surveyed, most (83%) indicated that they had open cybersecurity positions. Next, average hires are estimated. To make the number more precise, we used information across company size and combine these estimates to extrapolate future staffing needs for the total market (all business entities) using data from various government sources.1

Our calculation of the supply includes new entrants to the field – academic and nonacademic alike – which was linked to secondary market data. We also took into account the number of/rate of professionals who historically have shifted into roles with more cybersecurity responsibilities by combining both primary survey data with secondary market data.²

What Does the Gap Mean?

Our research does not propose there are 2.93 million cybersecurity job postings open right now. The (ISC)² Cybersecurity Workforce Study gap is an assessment of the demand for skilled cyber professionals based on the input from the cybersecurity workforce on the front lines every day. But what does this actually mean to the workforce?

Globally 37% of professionals stated the lack of skilled/experienced cybersecurity personnel was their top job concern. Additionally, 63% of respondents said their organizations have a shortage of staff dedicated to cybersecurity, and 60% said their organizations were at a moderate or extreme risk of cyberattacks due to that shortage.

Our industry is painfully aware of the challenges that organizations face when staffing qualified cyber teams, and the purpose of finding and sharing the gap is not to shout that the sky is falling, but rather build awareness of the need for talent and training, and advocate for solutions that will benefit the workforce, and to ultimately inspire a safe and secure cyber world.

Comments

Workforce Study Methodology and Defining the Gap

2,930,000

That is the size of the global cybersecurity workforce gap. The breakdown is around 498,000 in North America, 136,000 in Latin America, 142,000 in Europe, the Middle East and Africa, with the largest deficit coming in Asia Pacific at 2.14 million. But what does this big, scary number even mean? Where did it come from?

First, this new Cybersecurity Workforce Study from (ISC)² has evolved from past studies to become a more accurate representation of the broader workforce. We surveyed nearly 1,500 professionals around the world who spend at least 25% of their time on cybersecurity activities, which includes IT/ICT professionals who previously may not have been considered part of the cyber workforce.

To ensure our numbers were accurate and representative, we worked with our research partner (Spiceworks) to develop a rigorous sample design for each region. The sample within each country was controlled to ensure a mix of company sizes and industries. Some statistically significant differences between regions noted in the report may be due to regional differences in scale usage.

With a more precise look at who is actually doing the work, we also changed how the gap itself was calculated. Some legacy gap calculations subtracted supply from demand which didn’t consider relevant factors like organizational growth.

For the demand, we start with a calculation of the current percent of organizations with job openings – this represents the expected share of organizations that will have hiring demand. Among organizations surveyed, most (83%) indicated that they had open cybersecurity positions. Next, average hires are estimated. To make the number more precise, we used information across company size and combine these estimates to extrapolate future staffing needs for the total market (all business entities) using data from various government sources.1

Our calculation of the supply includes new entrants to the field – academic and nonacademic alike – which was linked to secondary market data. We also took into account the number of/rate of professionals who historically have shifted into roles with more cybersecurity responsibilities by combining both primary survey data with secondary market data.²

What Does the Gap Mean?

Our research does not propose there are 2.93 million cybersecurity job postings open right now. The (ISC)² Cybersecurity Workforce Study gap is an assessment of the demand for skilled cyber professionals based on the input from the cybersecurity workforce on the front lines every day. But what does this actually mean to the workforce?

Globally 37% of professionals stated the lack of skilled/experienced cybersecurity personnel was their top job concern. Additionally, 63% of respondents said their organizations have a shortage of staff dedicated to cybersecurity, and 60% said their organizations were at a moderate or extreme risk of cyberattacks due to that shortage.

Our industry is painfully aware of the challenges that organizations face when staffing qualified cyber teams, and the purpose of finding and sharing the gap is not to shout that the sky is falling, but rather build awareness of the need for talent and training, and advocate for solutions that will benefit the workforce, and to ultimately inspire a safe and secure cyber world.